Compare commits

...

8 Commits

Author SHA1 Message Date
1a1351ddcb Merge pull request 'Fix #18: migratie-ledger-sync + deploy-proof Azure SSO' (#19) from fix/issue-18-migration-ledger-sso into main
All checks were successful
On Push to Main / test (push) Successful in 32s
On Push to Main / publish (push) Successful in 1m8s
On Push to Main / deploy-dev (push) Successful in 3m0s
Reviewed-on: #19
2026-07-11 11:54:37 +00:00
RaymondVerhoef
d79e69aad2 fix: heal migration-ledger mismatch and make Azure SSO deploy-proof (#18)
All checks were successful
On Pull Request to Main / test (pull_request) Successful in 39s
On Pull Request to Main / publish (pull_request) Successful in 1m9s
On Pull Request to Main / deploy-dev (pull_request) Successful in 3m1s
PocketBase on Labs crash-looped since the SSO deploy (PR #17): mounting
--migrationsDir for the first time replayed the entire migration history
against a database that was provisioned out-of-band (empty _migrations
ledger) and died on 1778948471_created_content.js. On top of that the
team_members->auth migration had its own crash paths and trapped OAuth2
config inside a one-shot, env-dependent migration.

- pb_migrations/1000000000_baseline_ledger_sync.js: detects an
  out-of-band provisioned DB (schema exists, ledger empty) and marks the
  79 historical migrations as applied; no-op on fresh or already-synced DBs
- pb_migrations/1781000000_team_members_to_auth.js: idempotency guard,
  relation->text conversion WITH data preservation (PocketBase diffs
  fields by id, so the column is backed up and restored via SQL), unique
  index rebuild, no silent catches, env only as fast-path
- pb_hooks/entra_oidc.pb.js + pb_hooks/utils.js: reconcile the Entra OIDC
  provider from ENTRA_* env on every bootstrap + cron tick
  (compare-before-save, warn-once); heals environments that migrated
  without secrets and supports secret rotation without re-apply
- pb_hooks/team_members.pb.js: require() pattern — JSVM runs callbacks as
  isolated programs, top-level helpers are not in scope (adopts Leroy's
  fix from the fix-sso branch)
- infra/*/site/deploy-playbook.yml: health-gate after compose up — the
  deploy fails loudly with container logs when PocketBase does not become
  healthy (runs #83-#88 were green while PB crash-looped)
- docker-compose.yml: .env.local is optional again
- docs/auth-spec.md + AI_AGENT.md: ledger/reconciler documentation, ADRs
  006-008, never-rename-applied-migrations warning

Verified locally against PocketBase v0.30.4 with a 7-scenario DoD matrix
(fresh DB +/- env, out-of-band DB with data incl. data preservation,
populated-ledger upgrade, late-secrets healing, re-run guard, hook
provisioning): 15/15 pass. npm test 112/112.

Closes #18

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-11 11:14:09 +02:00
RaymondVerhoef
89d3395a62 feat: enhance OIDC configuration for Azure login and improve error handling in API responses
All checks were successful
On Push to Main / test (push) Successful in 56s
On Push to Main / publish (push) Successful in 1m24s
On Push to Main / deploy-dev (push) Successful in 2m58s
2026-07-11 10:19:54 +02:00
RaymondVerhoef
d5191073f0 feat: migrate team_members to OIDC-based auth collection and update docker-compose environment configuration
All checks were successful
On Push to Main / test (push) Successful in 57s
On Push to Main / publish (push) Successful in 1m16s
On Push to Main / deploy-dev (push) Successful in 3m0s
2026-06-25 18:05:39 +02:00
fab7a12f7b Merge pull request 'fix/issue-16-azure-login' (#17) from fix/issue-16-azure-login into main
All checks were successful
On Push to Main / test (push) Successful in 30s
On Push to Main / publish (push) Successful in 1m15s
On Push to Main / deploy-dev (push) Successful in 2m54s
Reviewed-on: #17
2026-06-24 14:00:40 +00:00
RaymondVerhoef
fe99381cb7 ci: pass Entra (Azure) secrets to deploy playbooks (#16)
All checks were successful
On Pull Request to Main / test (pull_request) Successful in 55s
On Pull Request to Main / publish (pull_request) Successful in 1m16s
On Pull Request to Main / deploy-dev (pull_request) Successful in 3m2s
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 15:57:33 +02:00
RaymondVerhoef
3af105bccd feat: Azure (Entra ID) login as user login (#16)
Replaces the client-side PIN login with real authentication against Azure
Entra ID via PocketBase's built-in OAuth2 (OIDC) flow. Every Azure user is
auto-provisioned as a team_member on first login.

- pb_migrations: team_members becomes a PocketBase auth collection (OIDC
  provider configured from env); all collections require @request.auth.id
- pb_hooks: provisioning of role (ENTRA_ADMIN_EMAILS allow-list) and
  enrollment_status, with admin-role re-sync on every login
- frontend: "Sign in with Microsoft" login, pb.authStore-based session,
  TeamManager manages roster/roles (no PIN/manual create)
- infra: Entra env wiring + pb_hooks mount for dev (Labs) and prod
- src/lib/azureAuth.js + tests for the canonical role/allow-list logic
- docs/auth-spec.md

Knowledge base, generated tests and micro-learnings are left untouched.
Existing PIN users are dropped (no migration required, per sign-off).

Closes #16

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:41:08 +02:00
5f34a6f825 Merge pull request 'Bescherm excluded en locked topics tegen AI-deletion/merge' (#15) from fix/protect-excluded-locked-topics into main
All checks were successful
On Push to Main / test (push) Successful in 36s
On Push to Main / publish (push) Successful in 1m19s
On Push to Main / deploy-dev (push) Successful in 1m45s
Reviewed-on: #15
2026-06-04 06:29:33 +00:00
25 changed files with 1192 additions and 170 deletions

View File

@@ -28,4 +28,8 @@ jobs:
-i infra/development/hosts.ini \ -i infra/development/hosts.ini \
-e "ansible_ssh_private_key_file=~/.ssh/deploy_key" \ -e "ansible_ssh_private_key_file=~/.ssh/deploy_key" \
-e "anthropic_api_key=${{ secrets.ANTHROPIC_API_KEY }}" \ -e "anthropic_api_key=${{ secrets.ANTHROPIC_API_KEY }}" \
-e "entra_tenant_id=${{ secrets.ENTRA_TENANT_ID }}" \
-e "entra_client_id=${{ secrets.ENTRA_CLIENT_ID }}" \
-e "entra_client_secret=${{ secrets.ENTRA_CLIENT_SECRET }}" \
-e "entra_admin_emails=${{ secrets.ENTRA_ADMIN_EMAILS }}" \
infra/development/site/deploy-playbook.yml infra/development/site/deploy-playbook.yml

View File

@@ -30,4 +30,8 @@ jobs:
-i infra/production/hosts.ini \ -i infra/production/hosts.ini \
-e "ansible_ssh_private_key_file=~/.ssh/deploy_key" \ -e "ansible_ssh_private_key_file=~/.ssh/deploy_key" \
-e "anthropic_api_key=${{ secrets.ANTHROPIC_API_KEY }}" \ -e "anthropic_api_key=${{ secrets.ANTHROPIC_API_KEY }}" \
-e "entra_tenant_id=${{ secrets.ENTRA_TENANT_ID }}" \
-e "entra_client_id=${{ secrets.ENTRA_CLIENT_ID }}" \
-e "entra_client_secret=${{ secrets.ENTRA_CLIENT_SECRET }}" \
-e "entra_admin_emails=${{ secrets.ENTRA_ADMIN_EMAILS }}" \
infra/production/site/deploy-playbook.yml infra/production/site/deploy-playbook.yml

View File

@@ -137,6 +137,9 @@ The platform ships a global chatbot avatar called **R42**, rendered as the Respe
* **PocketBase auto-cancellation is OFF.** Set in `src/lib/pb.js`; never re-enable. * **PocketBase auto-cancellation is OFF.** Set in `src/lib/pb.js`; never re-enable.
* **Go through `callLLM`.** Never call the Anthropic proxy directly; you lose retry, schema validation, and telemetry. * **Go through `callLLM`.** Never call the Anthropic proxy directly; you lose retry, schema validation, and telemetry.
* **AI token budget.** Truncation surfaces as `LLMTruncatedError` (`stop_reason: max_tokens`). For extraction, tighten the prompt's topic cap before raising `max_tokens`. * **AI token budget.** Truncation surfaces as `LLMTruncatedError` (`stop_reason: max_tokens`). For extraction, tighten the prompt's topic cap before raising `max_tokens`.
* **PocketBase migrations & the `_migrations` ledger (issue #18).** The deployed Labs/prod databases were originally provisioned WITHOUT `--migrationsDir` (schema came from `scripts/setup-pb-collections.mjs`), so their ledger started empty. `pb_migrations/1000000000_baseline_ledger_sync.js` marks the historical files as applied on such databases — never remove it, never rename an applied migration file (the ledger is filename-based), and give new migrations a timestamp that sorts after the existing ones. A failed migration aborts `pocketbase serve` → container crash-loop → 502 on every `/api/*` call; the deploy playbooks gate on `/api/health` to catch this.
* **OIDC provider config lives in a hook, not a migration.** `pb_hooks/entra_oidc.pb.js` reconciles the Entra provider from `ENTRA_*` env on every bootstrap + cron tick. Don't move provider credentials back into a one-shot migration — an apply while the env is empty would permanently disable OAuth2.
* **JSVM hook scope.** PocketBase runs each hook callback as an isolated program: top-level functions in a `*.pb.js` file are NOT in scope inside callbacks. Shared helpers live in `pb_hooks/utils.js` and are pulled in per-callback via `require(`${__hooks}/utils.js`)`.
## 13. 26-Week Per-User Curriculum System ## 13. 26-Week Per-User Curriculum System
The platform uses a **26-week perpetual curriculum cycle**. Every employee covers the knowledge base in focused, thematic weekly blocks, **starting whenever they enroll**. The platform uses a **26-week perpetual curriculum cycle**. Every employee covers the knowledge base in focused, thematic weekly blocks, **starting whenever they enroll**.

View File

@@ -127,6 +127,7 @@ when the PB binary starts.
- `docs/generation-spec.md` — learning content + micro-learning generation - `docs/generation-spec.md` — learning content + micro-learning generation
- `docs/curriculum-spec.md` — 26-week per-user curriculum engine - `docs/curriculum-spec.md` — 26-week per-user curriculum engine
- `docs/r42-spec.md` — the R42 chatbot - `docs/r42-spec.md` — the R42 chatbot
- `docs/auth-spec.md` — Azure (Entra ID) login: OIDC via PocketBase, provisioning, roles
- `docs/frontend-spec.md` — screens, routing, onboarding - `docs/frontend-spec.md` — screens, routing, onboarding
- `docs/gamification-spec.md` — points, badges, leaderboard - `docs/gamification-spec.md` — points, badges, leaderboard
- `micro-learning-spec.md` — micro-learning learner experience - `micro-learning-spec.md` — micro-learning learner experience

View File

@@ -46,6 +46,13 @@
} }
handle_errors { handle_errors {
# Don't mask API errors with the SPA shell — return a proper
# JSON error so the frontend can display a meaningful message.
@api path /api/*
respond @api `{"code":{err.status_code},"message":"Backend unavailable"}` {err.status_code} {
Content-Type application/json
}
rewrite * /index.html rewrite * /index.html
file_server file_server
} }

View File

@@ -12,7 +12,13 @@ services:
container_name: pocketbase-learning container_name: pocketbase-learning
restart: unless-stopped restart: unless-stopped
working_dir: /pb working_dir: /pb
env_file:
# Optional: absent .env.local must not block `docker compose up` (issue #18).
- path: .env.local
required: false
command: ["serve", "--http=0.0.0.0:8090", "--dir=/pb/pb_data", "--migrationsDir=/pb/pb_migrations"] command: ["serve", "--http=0.0.0.0:8090", "--dir=/pb/pb_data", "--migrationsDir=/pb/pb_migrations"]
ports:
- "8090:8090"
volumes: volumes:
- pb_data:/pb/pb_data - pb_data:/pb/pb_data
- ./pb_migrations:/pb/pb_migrations - ./pb_migrations:/pb/pb_migrations

117
docs/auth-spec.md Normal file
View File

@@ -0,0 +1,117 @@
# Authentication — Azure (Entra ID) login
> Implemented for issue #16. Replaces the previous client-side PIN login.
> Hardened for issue #18 (migratie-ledger-sync + env-onafhankelijke provider-reconciliatie).
## Doel
Elke gebruiker logt in met zijn Respellion **Microsoft (Azure Entra ID)**-account.
Bij de eerste login wordt automatisch een `team_members`-record aangemaakt. Er is
geen PIN, geen handmatige user-aanmaak en geen client-side wachtwoordcontrole meer.
## Architectuur in één oogopslag
```
Browser (SPA) PocketBase (auth) Entra ID
───────────── ───────────────── ────────
"Sign in with Microsoft"
└─ pb.collection('team_members')
.authWithOAuth2({provider:'oidc'})
──────────────────► opens OIDC popup ───► login.microsoftonline.com
token exchange ◄─── (server-side, client secret)
◄────────────────── auth record + token
pb.authStore (token in localStorage)
```
- **PocketBase is de OIDC-client.** De token-exchange en het client-secret blijven
server-side in PocketBase — er is geen aparte backend en geen client-side key.
- **`team_members` is een PocketBase `auth`-collection.** De record-`id` blijft de
user-identifier die alle voortgangscollecties (`test_results`,
`on_demand_attempts`, `micro_learning_completions`, `leaderboard`,
`theme_session_completions`) als `user_id` referencen.
- **Sessie** = `pb.authStore` (token in `localStorage`), niet langer een
`team_members.id` in `sessionStorage`.
## Belangrijke beslissingen (ADR)
| ADR | Beslissing | Reden |
|---|---|---|
| 001 | OIDC-provider tegen Entra v2-endpoints i.p.v. eigen MSAL-flow of header-trust | Sluit aan op "PocketBase = enige backend"; secret server-side; auto-provisioning gratis; werkt los van de perimeter-implementatie |
| 002 | `team_members` hergebruikt als auth-collection (zelfde naam) | Alle `user_id`-referenties blijven werken; minimale blast-radius |
| 003 | Provisioning + admin-rol via `pb_hooks/team_members.pb.js` | Rol-logica server-side, niet in de client |
| 004 | Admin-rol via e-mail-allowlist (`ENTRA_ADMIN_EMAILS`), re-synced elke login | Geen handmatig beheer; allowlist-wijziging werkt bij volgende login |
| 005 | API-rules → `@request.auth.id != ""` op alle app-collecties | Geen anonieme toegang meer; admins/users zijn beide geauthenticeerd |
| 006 | Baseline-ledger-sync migratie voor out-of-band geprovisionede DB's | Labs/prod draaide historisch zonder `--migrationsDir`; replay van de historie crashte PB (issue #18). De vroegst-sorterende migratie markeert de historie als applied wanneer schema bestaat maar de ledger leeg is |
| 007 | Migratie = structuur, hook = configuratie | De OIDC-provider wordt bij elke start (en per cron-minuut) gereconcilieerd vanuit `ENTRA_*` env door `pb_hooks/entra_oidc.pb.js`; een one-shot migratie die van deploy-time env afhangt kan OAuth2 anders permanent uitschakelen |
| 008 | Hook-helpers via `require(`${__hooks}/utils.js`)` | De JSVM draait elke hook-callback als geïsoleerd programma; top-level functies zijn níet in scope op call-time |
## Bestanden
| Bestand | Rol |
|---|---|
| `pb_migrations/1000000000_baseline_ledger_sync.js` | Detecteert een out-of-band geprovisionede DB (schema bestaat, `_migrations`-ledger leeg) en markeert de historische migraties als applied, zodat de replay niet crasht (issue #18). |
| `pb_migrations/1781000000_team_members_to_auth.js` | Converteert relation-velden naar text (data blijft behouden), dropt de oude PIN-collection en maakt `team_members` als auth-collection. Idempotent; provider wordt alleen als fast-path meegenomen als de env al aanwezig is. |
| `pb_migrations/1781000001_tighten_api_rules.js` | Zet alle niet-systeem-collecties op `@request.auth.id != ""`. |
| `pb_hooks/entra_oidc.pb.js` | Reconcilieert de OIDC-provider vanuit `ENTRA_*` env bij elke start + cron-tick (compare-before-save). |
| `pb_hooks/utils.js` | Gedeelde helpers (`resolveRole`, `reconcileEntraOidc`) — per callback binnenhalen via `require()`. |
| `pb_hooks/team_members.pb.js` | Auto-provisioning (`role`, `enrollment_status`, naam-fallback) + admin-rol re-sync. |
| `src/lib/azureAuth.js` | Canonieke, unit-geteste helpers (`OIDC_PROVIDER`, `resolveRole`, `parseAdminEmails`, `deriveName`). |
| `src/store/AppContext.jsx` | `loginWithAzure()` / `logout()` op basis van `pb.authStore` + `authRefresh()`. |
| `src/pages/Login.jsx` | "Sign in with Microsoft"-scherm (geen dropdown/PIN). |
| `src/components/admin/TeamManager.jsx` | Roster-beheer: rol wijzigen + verwijderen (geen aanmaken/PIN). |
> De rol-/allowlist-logica bestaat tweemaal: canoniek in `src/lib/azureAuth.js`
> (met tests) en herhaald in `pb_hooks/team_members.pb.js` (PocketBase JSVM kan de
> module niet importeren). **Houd ze in sync.**
## Configuratie (environment)
Gerenderd in `.env` door de Ansible deploy-playbooks en doorgegeven aan de
`pocketbase-learning`-container:
| Variabele | Betekenis |
|---|---|
| `ENTRA_TENANT_ID` | Entra tenant-id (of `common`). |
| `ENTRA_CLIENT_ID` | App-registration client-id. |
| `ENTRA_CLIENT_SECRET` | App-registration client-secret. |
| `ENTRA_ADMIN_EMAILS` | Komma-gescheiden e-mail-allowlist die `role=admin` krijgt, bv. `rve@respellion.nl,admin@respellion.nl`. |
Ansible-variabelen (vault): `entra_tenant_id`, `entra_client_id`,
`entra_client_secret`, `entra_admin_emails`.
## Entra App Registration (eenmalig, buiten de codebase)
1. **Redirect-URI (Web):** `https://<host>/api/oauth2-redirect`
- Labs: `https://learning-platform.labs.respellion.tech/api/oauth2-redirect`
- Lokaal dev: `http://localhost:8090/api/oauth2-redirect` (PB-origin)
2. **API permissions / scopes:** `openid`, `email`, `profile`.
3. Genereer een client-secret en zet de waarden in de Ansible-vault.
## Uitbreidingspunten
- **Silent SSO (geen tweede klik):** als bevestigd is dat de perimeter veilige,
niet-spoofbare identity-headers doorstuurt, kan een PocketBase-route die headers
vertrouwen en direct een token minten (ADR-004-alternatief).
- **Least-privilege rules:** schrijf/verwijder op de knowledge-authoring-collecties
(`topics`, `relations`, `content`, `sources`, `question_bank`,
`curriculum_versions`) verder beperken tot `@request.auth.role = "admin"`. Let op:
`micro_learnings` en `theme_sessions` worden door reguliere users geschreven
(generate-then-cache). Vereist runtime-verificatie.
- **Rol op Entra group-claims** i.p.v. e-mail-allowlist (aanpassing in
`pb_hooks/team_members.pb.js` + `src/lib/azureAuth.js`).
## Bekende aandachtspunten / go-live
- De OIDC-popup is een top-level navigatie naar `login.microsoftonline.com`; de
bestaande Caddy-CSP (`connect-src`) raakt dit niet. Verifieer alsnog bij de
eerste deploy.
- Verweesde voortgangsrecords van verwijderde (pre-Azure) users zijn acceptabel:
zonder geldig Entra-account kan niemand inloggen, dus die records zijn onbereikbaar.
- Credential-rotatie: update de `ENTRA_*` secrets (Gitea → Ansible `.env`) en
herstart/redeploy — `pb_hooks/entra_oidc.pb.js` reconcilieert de provider
automatisch bij elke start en elke cron-minuut. Geen handmatige re-apply meer.
- **Migratiebestanden nooit hernoemen nadat ze ergens applied zijn** — de
`_migrations`-ledger is filename-based; hernoemen triggert een re-apply.
- De deploy-playbooks bevatten een health-gate: als PocketBase na de deploy niet
healthy wordt, faalt de pipeline zichtbaar en print hij de containerlogs
(issue #18 bleef 2 weken onzichtbaar doordat de deploy "groen" was).

View File

@@ -5,7 +5,7 @@ import reactRefresh from 'eslint-plugin-react-refresh'
import { defineConfig, globalIgnores } from 'eslint/config' import { defineConfig, globalIgnores } from 'eslint/config'
export default defineConfig([ export default defineConfig([
globalIgnores(['dist', 'pb_migrations']), globalIgnores(['dist', 'pb_migrations', 'pb_hooks']),
{ {
files: ['**/*.{js,jsx}'], files: ['**/*.{js,jsx}'],
extends: [ extends: [

View File

@@ -4,6 +4,9 @@ networks:
learning-platform: learning-platform:
external: true external: true
volumes:
pb_data:
services: services:
learning-platform: learning-platform:
image: git.labs.respellion.tech/respellion/learning-platform/learning-platform:latest image: git.labs.respellion.tech/respellion/learning-platform/learning-platform:latest
@@ -18,11 +21,18 @@ services:
image: ghcr.io/muchobien/pocketbase:latest image: ghcr.io/muchobien/pocketbase:latest
container_name: pocketbase-learning container_name: pocketbase-learning
restart: unless-stopped restart: unless-stopped
command: ["serve", "--http=0.0.0.0:8090", "--dir=/pb/pb_data"] working_dir: /pb
command: ["serve", "--http=0.0.0.0:8090", "--dir=/pb/pb_data", "--migrationsDir=/pb/pb_migrations", "--hooksDir=/pb/pb_hooks"]
environment:
# Azure Entra ID (OIDC) — consumed by pb_migrations/1781000000 and
# pb_hooks/team_members.pb.js. Rendered into .env by the deploy playbook.
- ENTRA_TENANT_ID=${ENTRA_TENANT_ID}
- ENTRA_CLIENT_ID=${ENTRA_CLIENT_ID}
- ENTRA_CLIENT_SECRET=${ENTRA_CLIENT_SECRET}
- ENTRA_ADMIN_EMAILS=${ENTRA_ADMIN_EMAILS}
volumes: volumes:
- pb_data:/pb/pb_data - pb_data:/pb/pb_data
- ./pb_migrations:/pb/pb_migrations
- ./pb_hooks:/pb/pb_hooks
networks: networks:
- learning-platform - learning-platform
volumes:
pb_data:

View File

@@ -36,11 +36,27 @@
src: compose.yml src: compose.yml
dest: "{{ dest_dir }}/compose.yml" dest: "{{ dest_dir }}/compose.yml"
- name: Copy pb_migrations to destination
ansible.builtin.copy:
src: ../../../pb_migrations
dest: "{{ dest_dir }}/"
mode: "0755"
- name: Copy pb_hooks to destination
ansible.builtin.copy:
src: ../../../pb_hooks
dest: "{{ dest_dir }}/"
mode: "0755"
- name: Create .env file for secrets - name: Create .env file for secrets
ansible.builtin.copy: ansible.builtin.copy:
dest: "{{ dest_dir }}/.env" dest: "{{ dest_dir }}/.env"
content: | content: |
ANTHROPIC_API_KEY={{ anthropic_api_key | default('') }} ANTHROPIC_API_KEY={{ anthropic_api_key | default('') }}
ENTRA_TENANT_ID={{ entra_tenant_id | default('') }}
ENTRA_CLIENT_ID={{ entra_client_id | default('') }}
ENTRA_CLIENT_SECRET={{ entra_client_secret | default('') }}
ENTRA_ADMIN_EMAILS={{ entra_admin_emails | default('') }}
mode: '0600' mode: '0600'
- name: Pull latest image - name: Pull latest image
@@ -56,3 +72,31 @@
state: present state: present
files: compose.yml files: compose.yml
recreate: always recreate: always
# A failed migration aborts `pocketbase serve` and the container crash-loops
# while `docker compose up` still reports success (issue #18). Gate the
# deploy on PocketBase actually serving its health endpoint.
- name: Wait for PocketBase to become healthy
ansible.builtin.command: docker exec pocketbase-learning wget -q -O - http://127.0.0.1:8090/api/health
register: pb_health
until: pb_health.rc == 0
retries: 18
delay: 5
changed_when: false
ignore_errors: yes
- name: Collect PocketBase logs for diagnosis
ansible.builtin.command: docker logs --tail 80 pocketbase-learning
register: pb_logs
when: pb_health is failed
changed_when: false
failed_when: false
- name: Abort deploy — PocketBase is not healthy
ansible.builtin.fail:
msg: |
PocketBase did not become healthy after the deploy (health endpoint unreachable).
Recent container logs:
{{ pb_logs.stdout | default('') }}
{{ pb_logs.stderr | default('') }}
when: pb_health is failed

View File

@@ -22,9 +22,17 @@ services:
container_name: pocketbase-learning container_name: pocketbase-learning
restart: unless-stopped restart: unless-stopped
working_dir: /pb working_dir: /pb
command: ["serve", "--http=0.0.0.0:8090", "--dir=/pb/pb_data", "--migrationsDir=/pb/pb_migrations"] command: ["serve", "--http=0.0.0.0:8090", "--dir=/pb/pb_data", "--migrationsDir=/pb/pb_migrations", "--hooksDir=/pb/pb_hooks"]
environment:
# Azure Entra ID (OIDC) — consumed by pb_migrations/1781000000 and
# pb_hooks/team_members.pb.js. Rendered into .env by the deploy playbook.
- ENTRA_TENANT_ID=${ENTRA_TENANT_ID}
- ENTRA_CLIENT_ID=${ENTRA_CLIENT_ID}
- ENTRA_CLIENT_SECRET=${ENTRA_CLIENT_SECRET}
- ENTRA_ADMIN_EMAILS=${ENTRA_ADMIN_EMAILS}
volumes: volumes:
- pb_data:/pb/pb_data - pb_data:/pb/pb_data
- ./pb_migrations:/pb/pb_migrations - ./pb_migrations:/pb/pb_migrations
- ./pb_hooks:/pb/pb_hooks
networks: networks:
- learning-platform - learning-platform

View File

@@ -42,11 +42,21 @@
dest: "{{ dest_dir }}/" dest: "{{ dest_dir }}/"
mode: "0755" mode: "0755"
- name: Copy pb_hooks to destination
ansible.builtin.copy:
src: ../../../pb_hooks
dest: "{{ dest_dir }}/"
mode: "0755"
- name: Create .env file for secrets - name: Create .env file for secrets
ansible.builtin.copy: ansible.builtin.copy:
dest: "{{ dest_dir }}/.env" dest: "{{ dest_dir }}/.env"
content: | content: |
ANTHROPIC_API_KEY={{ anthropic_api_key | default('') }} ANTHROPIC_API_KEY={{ anthropic_api_key | default('') }}
ENTRA_TENANT_ID={{ entra_tenant_id | default('') }}
ENTRA_CLIENT_ID={{ entra_client_id | default('') }}
ENTRA_CLIENT_SECRET={{ entra_client_secret | default('') }}
ENTRA_ADMIN_EMAILS={{ entra_admin_emails | default('') }}
mode: '0600' mode: '0600'
- name: Pull latest image - name: Pull latest image
@@ -62,3 +72,31 @@
state: present state: present
files: compose.yml files: compose.yml
recreate: always recreate: always
# A failed migration aborts `pocketbase serve` and the container crash-loops
# while `docker compose up` still reports success (issue #18). Gate the
# deploy on PocketBase actually serving its health endpoint.
- name: Wait for PocketBase to become healthy
ansible.builtin.command: docker exec pocketbase-learning wget -q -O - http://127.0.0.1:8090/api/health
register: pb_health
until: pb_health.rc == 0
retries: 18
delay: 5
changed_when: false
ignore_errors: yes
- name: Collect PocketBase logs for diagnosis
ansible.builtin.command: docker logs --tail 80 pocketbase-learning
register: pb_logs
when: pb_health is failed
changed_when: false
failed_when: false
- name: Abort deploy — PocketBase is not healthy
ansible.builtin.fail:
msg: |
PocketBase did not become healthy after the deploy (health endpoint unreachable).
Recent container logs:
{{ pb_logs.stdout | default('') }}
{{ pb_logs.stderr | default('') }}
when: pb_health is failed

34
pb_hooks/entra_oidc.pb.js Normal file
View File

@@ -0,0 +1,34 @@
/// <reference path="../pb_data/types.d.ts" />
//
// Issue #18 — Reconcile the Entra (Azure) OIDC provider from the environment.
//
// The team_members→auth migration (pb_migrations/1781000000) is structure-only
// and runs exactly once. Provider CONFIGURATION lives here instead, so that:
//
// * an environment whose migration applied while the ENTRA_* secrets were
// absent gets its provider enabled on the next startup (no re-apply),
// * rotating ENTRA_CLIENT_SECRET / changing the tenant only requires new env
// values and a container restart,
// * a fresh database gets its provider on the first cron tick right after
// the migrations created the collection (onBootstrap fires BEFORE the
// migrations run — there is no post-migration lifecycle hook in the JSVM,
// hence the cron fallback).
//
// The reconciler compares before saving, so both hooks are cheap no-ops when
// everything is already in sync.
onBootstrap((e) => {
e.next();
const { reconcileEntraOidc } = require(`${__hooks}/utils.js`);
// reconcileEntraOidc logs a warn-once itself when the ENTRA_* env is absent.
console.log("entra_oidc reconcile (bootstrap): " + reconcileEntraOidc(e.app));
});
cronAdd("entraOidcReconcile", "* * * * *", () => {
const { reconcileEntraOidc } = require(`${__hooks}/utils.js`);
const result = reconcileEntraOidc($app);
// Only log state changes — this tick runs every minute.
if (result === "updated") {
console.log("entra_oidc reconcile (cron): OIDC provider (re)configured from ENTRA_* env");
}
});

View File

@@ -0,0 +1,55 @@
/// <reference path="../pb_data/types.d.ts" />
//
// Issue #16 — Auto-provisioning & role assignment for Azure (Entra ID) users.
//
// PocketBase auto-creates a `team_members` auth record on the first OIDC login
// (name is filled from the OIDC `name` claim via the collection's mappedFields).
// These hooks add the application-specific bits:
//
// * default `role` from an admin allow-list (env ENTRA_ADMIN_EMAILS),
// * default `enrollment_status = "not_started"` so new users go through the
// existing onboarding screen,
// * re-sync the admin role on every login so allow-list changes take effect
// without manual edits.
//
// The allow-list is a comma-separated list of e-mail addresses, e.g.:
// ENTRA_ADMIN_EMAILS=rve@respellion.nl,admin@respellion.nl
//
// resolveRole itself lives in pb_hooks/utils.js and is pulled in per-callback
// via require() — PocketBase's JSVM runs each hook callback below as its own
// isolated program, so a shared top-level function here would not be in scope
// at call time. See pb_hooks/utils.js for details. Keep the logic in sync with
// src/lib/azureAuth.js (resolveRole / parseAdminEmails), which carries the
// canonical, unit-tested version for the frontend/tests.
// On creation (first login): set defaults before the record is persisted.
onRecordCreate(function (e) {
const { resolveRole } = require(`${__hooks}/utils.js`);
const email = e.record.get("email") || "";
e.record.set("role", resolveRole(email));
if (!e.record.get("enrollment_status")) {
e.record.set("enrollment_status", "not_started");
}
// Fallback name when the IdP supplied no `name` claim.
if (!e.record.get("name")) {
e.record.set("name", email ? email.split("@")[0] : "Onbekend");
}
e.next();
}, "team_members");
// On every successful auth (incl. OIDC): keep the admin role in sync with the
// allow-list, so promoting/demoting an admin only requires an env change.
onRecordAuthRequest(function (e) {
const { resolveRole } = require(`${__hooks}/utils.js`);
const email = e.record.get("email") || "";
const want = resolveRole(email);
if (e.record.get("role") !== want) {
e.record.set("role", want);
e.app.save(e.record);
}
e.next();
}, "team_members");

104
pb_hooks/utils.js Normal file
View File

@@ -0,0 +1,104 @@
/// <reference path="../pb_data/types.d.ts" />
//
// Shared helpers for pb_hooks/*.pb.js callbacks.
//
// PocketBase's JSVM serializes and runs each registered hook callback as its
// own isolated program, so a plain top-level function declared in a *.pb.js
// file is NOT in scope inside a callback at call time. Reusable helpers must
// instead live in a plain (non *.pb.js, so it isn't auto-loaded as a hook)
// module and be pulled in per-callback via require(`${__hooks}/utils.js`).
// See: https://github.com/pocketbase/pocketbase/discussions/3599
//
// Loaded modules use a shared registry across callback invocations, so keep
// this file stateless. (Deliberate exception: the warn-once latch below, which
// exists precisely BECAUSE the registry is shared — it dedupes the env-missing
// warning across the bootstrap hook and the per-minute cron tick.)
//
// Keep resolveRole in sync with src/lib/azureAuth.js's resolveRole (the
// canonical, unit-tested version used by the frontend).
let warnedEnvMissing = false;
module.exports = {
/**
* Resolve a user's role from their e-mail and the ENTRA_ADMIN_EMAILS allow-list.
* @param {string} email
* @returns {"admin"|"user"}
*/
resolveRole: function (email) {
const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase();
const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean);
return allow.indexOf(String(email || "").toLowerCase()) !== -1 ? "admin" : "user";
},
/**
* Reconcile the Entra (Azure) OIDC provider on the team_members auth
* collection from the ENTRA_* environment variables (issue #18).
*
* Idempotent: compares the desired provider config against the stored one
* and only saves when something actually changed, so it is safe to call on
* every bootstrap and cron tick. Keeping this OUT of the one-shot migration
* means late or rotated secrets are picked up on the next start/tick without
* any manual re-apply.
*
* @param {core.App} app
* @returns {"collection-missing"|"not-auth-yet"|"env-missing"|"in-sync"|"updated"}
*/
reconcileEntraOidc: function (app) {
let col;
try {
col = app.findCollectionByNameOrId("team_members");
} catch (_) {
return "collection-missing"; // migration has not created it yet
}
if (col.type !== "auth") {
return "not-auth-yet"; // pre-conversion PIN-era collection
}
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
const clientId = $os.getenv("ENTRA_CLIENT_ID") || "";
const clientSecret = $os.getenv("ENTRA_CLIENT_SECRET") || "";
if (!clientId || !clientSecret) {
if (!warnedEnvMissing) {
warnedEnvMissing = true;
console.log(
"WARN entra_oidc: ENTRA_CLIENT_ID / ENTRA_CLIENT_SECRET not set — Microsoft login stays " +
"disabled until the env vars are provided (they are reconciled automatically on startup)."
);
}
return "env-missing";
}
warnedEnvMissing = false; // env restored — re-arm the warning for future rotations
const desired = {
name: "oidc",
clientId: clientId,
clientSecret: clientSecret,
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
displayName: "Microsoft",
pkce: true,
};
const providers = (col.oauth2 && col.oauth2.providers) || [];
const current = providers.length === 1 ? providers[0] : null;
const inSync = !!current &&
col.oauth2.enabled === true &&
current.name === desired.name &&
current.clientId === desired.clientId &&
current.clientSecret === desired.clientSecret &&
current.authURL === desired.authURL &&
current.tokenURL === desired.tokenURL &&
current.userInfoURL === desired.userInfoURL &&
current.displayName === desired.displayName;
if (inSync) {
return "in-sync";
}
col.oauth2.enabled = true;
col.oauth2.providers = [desired];
app.save(col);
return "updated";
},
};

View File

@@ -0,0 +1,138 @@
/// <reference path="../pb_data/types.d.ts" />
//
// Issue #18 — Baseline ledger sync for out-of-band provisioned databases.
//
// The Labs/production PocketBase originally ran WITHOUT --migrationsDir: its
// schema was created by scripts/setup-pb-collections.mjs / the admin UI, so its
// _migrations ledger is empty. When the migrations dir was mounted for the
// first time (Azure SSO, PR #17), PocketBase tried to replay the entire
// migration history against that existing schema and crash-looped on the very
// first file ("Collection name must be unique").
//
// This migration sorts before every other file. When it detects that the
// legacy schema already exists but the ledger has never tracked it, it marks
// the historical migrations below as applied so the replay is skipped and the
// chain continues with the genuinely new migrations (team_members_to_auth,
// tighten_api_rules). On fresh databases and on databases that already have a
// populated ledger it is a no-op.
//
// NOTE for future agents: never rename a migration file after it has been
// applied anywhere — the ledger is filename-based. New migrations must sort
// after 1781100001 and be appended to environments through a normal deploy.
const HISTORICAL_MIGRATIONS = [
"1778948471_created_content.js",
"1778948471_created_quiz_banks.js",
"1778948471_created_relations.js",
"1778948471_created_sources.js",
"1778948471_created_team_members.js",
"1778948471_created_topics.js",
"1778948472_created_leaderboard.js",
"1778948472_created_learn_progress.js",
"1778948472_created_quiz_cache.js",
"1778948472_created_quiz_results.js",
"1778948472_created_settings.js",
"1778954289_created_test_col2.js",
"1778954310_deleted_relations.js",
"1778954310_deleted_topics.js",
"1778954310_deleted_users.js",
"1778954311_deleted_content.js",
"1778954311_deleted_leaderboard.js",
"1778954311_deleted_learn_progress.js",
"1778954311_deleted_quiz_banks.js",
"1778954311_deleted_quiz_cache.js",
"1778954311_deleted_quiz_results.js",
"1778954311_deleted_settings.js",
"1778954311_deleted_sources.js",
"1778954311_deleted_team_members.js",
"1778954311_deleted_test_col2.js",
"1778954317_created_content.js",
"1778954317_created_leaderboard.js",
"1778954317_created_learn_progress.js",
"1778954317_created_quiz_banks.js",
"1778954317_created_quiz_cache.js",
"1778954317_created_quiz_results.js",
"1778954317_created_relations.js",
"1778954317_created_settings.js",
"1778954317_created_sources.js",
"1778954317_created_team_members.js",
"1778954317_created_topics.js",
"1779005271_created_test_col3.js",
"1779005289_created_test_col4.js",
"1779005309_deleted_content.js",
"1779005309_deleted_learn_progress.js",
"1779005309_deleted_quiz_banks.js",
"1779005309_deleted_quiz_cache.js",
"1779005309_deleted_quiz_results.js",
"1779005309_deleted_relations.js",
"1779005309_deleted_sources.js",
"1779005309_deleted_team_members.js",
"1779005309_deleted_topics.js",
"1779005310_deleted_leaderboard.js",
"1779005310_deleted_settings.js",
"1779005310_deleted_test_col3.js",
"1779005310_deleted_test_col4.js",
"1779005316_created_content.js",
"1779005316_created_quiz_banks.js",
"1779005316_created_relations.js",
"1779005316_created_sources.js",
"1779005316_created_topics.js",
"1779005317_created_leaderboard.js",
"1779005317_created_learn_progress.js",
"1779005317_created_quiz_cache.js",
"1779005317_created_quiz_results.js",
"1779005317_created_settings.js",
"1779005317_created_team_members.js",
"1779127586_created_curriculum.js",
"1779127759_collections_snapshot.js",
"1779200000_updated_sources.js",
"1780000001_updated_topics.js",
"1780500000_updated_topics_relevance_locked.js",
"1780500001_normalize_relation_types.js",
"1780500002_created_llm_calls.js",
"1780600000_curriculum_v2.js",
"1780700000_sources_progress.js",
"1780800000_created_micro_learnings.js",
"1780800001_deleted_legacy_collections.js",
"1780800002_update_micro_learnings_rules.js",
"1780900000_team_members_enrollment.js",
"1780900001_created_test_results.js",
"1781000000_created_theme_sessions.js",
"1781100000_created_question_bank.js",
"1781100001_created_on_demand_attempts.js",
];
migrate((app) => {
// Fresh database? (no legacy schema) -> let the normal chain run.
try {
app.findCollectionByNameOrId("content");
} catch (_) {
return;
}
// Ledger already tracks the history? -> normally migrated DB, nothing to do.
const probe = new DynamicModel({ count: 0 });
app.db()
.newQuery("SELECT COUNT(*) AS count FROM _migrations WHERE file = {:file}")
.bind({ file: "1778948471_created_content.js" })
.one(probe);
if (probe.count > 0) {
return;
}
// Out-of-band provisioned database: schema exists, ledger is empty.
// Mark the historical migrations as applied so they are not replayed.
const applied = Date.now();
for (const file of HISTORICAL_MIGRATIONS) {
app.db()
.newQuery("INSERT OR IGNORE INTO _migrations (file, applied) VALUES ({:file}, {:applied})")
.bind({ file: file, applied: applied })
.execute();
}
console.log(
"baseline_ledger_sync: detected out-of-band provisioned database — marked " +
HISTORICAL_MIGRATIONS.length + " historical migrations as applied"
);
}, (_app) => {
// Down: intentionally a no-op. The ledger rows describe environment-specific
// bookkeeping; removing them would re-trigger the replay this fix prevents.
});

View File

@@ -0,0 +1,352 @@
/// <reference path="../pb_data/types.d.ts" />
//
// Issue #16 / #18 — Azure (Entra ID) login.
//
// Replaces the PIN-based `base` collection `team_members` with a PocketBase
// `auth` collection that authenticates against Azure Entra ID via OIDC.
//
// The existing PIN-based team_members are intentionally dropped (sign-off from
// the product owner — no migration of current users required). The knowledge
// base, generated tests and micro-learnings live in OTHER collections and are
// left completely untouched by this migration.
//
// This migration is STRUCTURE ONLY and does not depend on the environment:
// the OIDC provider credentials (ENTRA_TENANT_ID / ENTRA_CLIENT_ID /
// ENTRA_CLIENT_SECRET) are reconciled into the collection on every startup by
// pb_hooks/entra_oidc.pb.js. That keeps the one-shot migration deterministic:
// applying it while the secrets are absent can no longer permanently disable
// OAuth2 (issue #18). As a fast path the provider is also attached here when
// the env vars are already present at apply time.
migrate((app) => {
// Idempotency guard: if team_members is already an auth collection (e.g. the
// conversion happened through an earlier partial rollout), leave it alone.
let existing = null;
try {
existing = app.findCollectionByNameOrId("team_members");
} catch (_) {
existing = null; // collection absent — nothing to convert, only to create
}
if (existing && existing.type === "auth") {
console.log("team_members_to_auth: team_members is already an auth collection — skipping conversion.");
return;
}
// 1. Detach relation fields that point at team_members. PocketBase refuses
// to delete a collection that other collections relate to, so before we
// can drop the old PIN-based team_members we convert those relations into
// plain text fields (the id is stored as text — consistent with how
// user_id is stored in test_results / on_demand_attempts). The column
// values are preserved by the conversion.
const deps = [
{ name: "micro_learning_completions", relId: "rel_team_member_id", textId: "txt_mlc_team_member" },
{ name: "theme_session_completions", relId: "rel_tsc_team_member", textId: "txt_tsc_team_member" },
];
for (const dep of deps) {
let c = null;
try {
c = app.findCollectionByNameOrId(dep.name);
} catch (_) {
console.log("team_members_to_auth: " + dep.name + " does not exist yet — nothing to detach.");
continue;
}
if (!c.fields.getById(dep.relId)) {
console.log("team_members_to_auth: " + dep.name + "." + dep.relId + " already detached — skipping.");
continue;
}
// PocketBase diffs fields by ID, so swapping the relation field for a text
// field drops and recreates the underlying column. Back the values up and
// restore them after the schema save — the ids must survive (issue #18).
const backup = "_issue18_tm_" + dep.name;
app.db().newQuery("DROP TABLE IF EXISTS `" + backup + "`").execute();
app.db().newQuery(
"CREATE TABLE `" + backup + "` AS SELECT `id`, `team_member_id` AS `v` FROM `" + dep.name + "`"
).execute();
// Drop any index that references the team_member_id column (it is rebuilt
// on the text column below).
c.indexes = (c.indexes || []).filter((idx) => idx.indexOf("team_member_id") === -1);
// Replace the relation field with a text field of the same name.
c.fields.removeById(dep.relId);
c.fields.add(new Field({
type: "text",
id: dep.textId,
name: "team_member_id",
required: false,
min: 0,
max: 0,
}));
app.save(c);
app.db().newQuery(
"UPDATE `" + dep.name + "` SET `team_member_id` = COALESCE(" +
"(SELECT `v` FROM `" + backup + "` WHERE `" + backup + "`.`id` = `" + dep.name + "`.`id`), '')"
).execute();
app.db().newQuery("DROP TABLE `" + backup + "`").execute();
}
// Recreate the unique (team_member_id, session_week) guard on the text column.
try {
const tsc = app.findCollectionByNameOrId("theme_session_completions");
const idx = "CREATE UNIQUE INDEX `idx_theme_session_completions_user_week` ON `theme_session_completions` (`team_member_id`, `session_week`)";
if ((tsc.indexes || []).indexOf(idx) === -1) {
tsc.indexes.push(idx);
app.save(tsc);
}
} catch (_) {
console.log("team_members_to_auth: theme_session_completions does not exist yet — no index to rebuild.");
}
// 2. Drop the old PIN-based team_members (now unreferenced). NOT wrapped in
// a try/catch: if this fails there is an unknown relation left and the
// migration must fail loudly instead of masking the error (issue #18).
if (existing) {
app.delete(existing);
}
// Fast path: attach the OIDC provider right away when the credentials are
// already present at apply time. When they are absent the collection is
// created without a provider and pb_hooks/entra_oidc.pb.js configures it on
// the next startup / cron tick once the ENTRA_* env vars are supplied.
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
const clientId = $os.getenv("ENTRA_CLIENT_ID") || "";
const clientSecret = $os.getenv("ENTRA_CLIENT_SECRET") || "";
const oidcProviders = (clientId && clientSecret) ? [
{
name: "oidc",
clientId: clientId,
clientSecret: clientSecret,
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
displayName: "Microsoft",
pkce: true,
},
] : [];
if (oidcProviders.length === 0) {
console.log(
"team_members_to_auth: ENTRA_CLIENT_ID / ENTRA_CLIENT_SECRET not set — creating the auth " +
"collection without an OIDC provider. pb_hooks/entra_oidc.pb.js will configure the provider " +
"automatically once the env vars are present (no re-apply needed)."
);
}
// 3. Recreate `team_members` as an auth collection (same name → all existing
// `user_id` references in test_results, on_demand_attempts,
// micro_learning_completions, leaderboard, theme_session_completions keep
// working unchanged).
const collection = new Collection({
type: "auth",
name: "team_members",
system: false,
// Access rules: every legitimate user is authenticated (Azure-gated +
// OIDC). Profiles are readable by any authenticated user (leaderboard,
// dashboard); a user may only update their own record (onboarding flips
// enrollment_status). Creation/deletion happen via OAuth2 / superuser only.
listRule: '@request.auth.id != ""',
viewRule: '@request.auth.id != ""',
createRule: null,
updateRule: '@request.auth.id = id',
deleteRule: null,
authRule: "",
manageRule: null,
// Disable password / OTP / MFA — login is exclusively via Entra OIDC.
passwordAuth: { enabled: false, identityFields: ["email"] },
otp: { enabled: false, duration: 180, length: 8 },
mfa: { enabled: false, duration: 600, rule: "" },
oauth2: {
enabled: oidcProviders.length > 0,
// Map the OIDC userinfo claims onto our fields.
mappedFields: {
id: "",
name: "name",
username: "",
avatarURL: "",
},
providers: oidcProviders,
},
fields: [
// ── System auth fields ──────────────────────────────────────────────
{
"autogeneratePattern": "[a-z0-9]{15}",
"hidden": false,
"id": "text3208210256",
"max": 15,
"min": 15,
"name": "id",
"pattern": "^[a-z0-9]+$",
"presentable": false,
"primaryKey": true,
"required": true,
"system": true,
"type": "text"
},
{
"cost": 0,
"hidden": true,
"id": "password901924565",
"max": 0,
"min": 8,
"name": "password",
"pattern": "",
"presentable": false,
"required": true,
"system": true,
"type": "password"
},
{
"autogeneratePattern": "[a-zA-Z0-9]{50}",
"hidden": true,
"id": "text2504183744",
"max": 60,
"min": 30,
"name": "tokenKey",
"pattern": "",
"presentable": false,
"primaryKey": false,
"required": true,
"system": true,
"type": "text"
},
{
"exceptDomains": null,
"hidden": false,
"id": "email3885137012",
"name": "email",
"onlyDomains": null,
"presentable": false,
"required": true,
"system": true,
"type": "email"
},
{
"hidden": false,
"id": "bool1547992806",
"name": "emailVisibility",
"presentable": false,
"required": false,
"system": true,
"type": "bool"
},
{
"hidden": false,
"id": "bool256245529",
"name": "verified",
"presentable": false,
"required": false,
"system": true,
"type": "bool"
},
// ── Application fields ───────────────────────────────────────────────
{
"autogeneratePattern": "",
"hidden": false,
"id": "text1579384326",
"max": 255,
"min": 0,
"name": "name",
"pattern": "",
"presentable": false,
"primaryKey": false,
"required": false,
"system": false,
"type": "text"
},
{
"autogeneratePattern": "",
"hidden": false,
"id": "text1466534506",
"max": 0,
"min": 0,
"name": "role",
"pattern": "",
"presentable": false,
"primaryKey": false,
"required": false,
"system": false,
"type": "text"
},
{
"hidden": false,
"id": "date_curriculum_started_at",
"name": "curriculum_started_at",
"presentable": false,
"required": false,
"system": false,
"type": "date"
},
{
"autogeneratePattern": "",
"hidden": false,
"id": "text_enrollment_status",
"max": 0,
"min": 0,
"name": "enrollment_status",
"pattern": "",
"presentable": false,
"primaryKey": false,
"required": false,
"system": false,
"type": "text"
},
{
"hidden": false,
"id": "autodate2990389176",
"name": "created",
"onCreate": true,
"onUpdate": false,
"presentable": false,
"system": false,
"type": "autodate"
},
{
"hidden": false,
"id": "autodate3332085495",
"name": "updated",
"onCreate": true,
"onUpdate": true,
"presentable": false,
"system": false,
"type": "autodate"
}
],
indexes: [
"CREATE UNIQUE INDEX `idx_tokenKey_team_members` ON `team_members` (`tokenKey`)",
"CREATE UNIQUE INDEX `idx_email_team_members` ON `team_members` (`email`) WHERE `email` != ''"
],
});
app.save(collection);
}, (app) => {
// Down: drop the auth collection and recreate the original PIN-based base
// collection (without data — the original records are gone).
try {
const c = app.findCollectionByNameOrId("team_members");
app.delete(c);
} catch (_) { /* already gone */ }
const base = new Collection({
type: "base",
name: "team_members",
listRule: "",
viewRule: "",
createRule: "",
updateRule: "",
deleteRule: "",
fields: [
{ "type": "text", "name": "id", "system": true, "primaryKey": true, "required": true,
"min": 15, "max": 15, "pattern": "^[a-z0-9]+$", "autogeneratePattern": "[a-z0-9]{15}",
"id": "text3208210256" },
{ "type": "text", "name": "name", "required": true, "min": 0, "max": 0, "id": "text1579384326" },
{ "type": "text", "name": "pin", "required": false, "min": 0, "max": 0, "id": "text3045404147" },
{ "type": "text", "name": "role", "required": false, "min": 0, "max": 0, "id": "text1466534506" },
{ "type": "date", "name": "curriculum_started_at", "required": false, "id": "date_curriculum_started_at" },
{ "type": "text", "name": "enrollment_status", "required": false, "min": 0, "max": 0, "id": "text_enrollment_status" },
],
});
app.save(base);
});

View File

@@ -0,0 +1,57 @@
/// <reference path="../pb_data/types.d.ts" />
//
// Issue #16 — Lock down API rules now that authentication is real.
//
// Before Azure login the app had no real auth, so every collection rule was
// "" (public). With mandatory Entra OIDC login, every legitimate caller is
// authenticated, so we require `@request.auth.id != ""` on all non-system,
// non-`team_members` collections.
//
// This intentionally does NOT delete or restructure any data — it only changes
// access rules. The knowledge base, generated tests and micro-learnings stay
// exactly as they are; they simply become unreadable to anonymous callers.
//
// `team_members` is configured by its own migration (1781000000) and skipped
// here. System collections (`_superusers`, `_mfas`, `_otps`, …) are skipped.
//
// NOTE (follow-up): for least-privilege we could further restrict write/delete
// on the knowledge-authoring collections (topics, relations, content, sources,
// question_bank, curriculum_versions) to `@request.auth.role = "admin"`. That
// is deferred because micro_learnings / theme_sessions are written by regular
// users (generate-then-cache) and the full matrix needs runtime verification.
// The trust boundary today is: perimeter Azure gate + authenticated employees.
const AUTHED = '@request.auth.id != ""';
migrate((app) => {
const collections = app.findAllCollections();
for (const c of collections) {
if (c.system) continue;
if (c.name === "team_members") continue;
c.viewRule = AUTHED;
c.listRule = AUTHED;
// View collections only support list/view rules.
if (c.type !== "view") {
c.createRule = AUTHED;
c.updateRule = AUTHED;
c.deleteRule = AUTHED;
}
app.save(c);
}
}, (app) => {
// Down: restore fully public rules (the pre-Azure baseline).
const collections = app.findAllCollections();
for (const c of collections) {
if (c.system) continue;
if (c.name === "team_members") continue;
c.viewRule = "";
c.listRule = "";
if (c.type !== "view") {
c.createRule = "";
c.updateRule = "";
c.deleteRule = "";
}
app.save(c);
}
});

View File

@@ -102,17 +102,21 @@ const COLLECTIONS = [
...AUTODATE_FIELDS, ...AUTODATE_FIELDS,
], ],
}, },
// NOTE: `team_members` is an AUTH collection owned by the migration
// pb_migrations/1781000000_team_members_to_auth.js (Azure/Entra ID login).
// Migrations run on PocketBase start — before this script — so the entry
// below is only a fallback for environments where migrations have not run;
// when the auth collection already exists, this create is skipped.
{ {
name: 'team_members', name: 'team_members',
type: 'base', type: 'auth',
...OPEN_RULES, ...OPEN_RULES,
passwordAuth: { enabled: false, identityFields: ['email'] },
fields: [ fields: [
{ name: 'name', type: 'text', required: true }, { name: 'name', type: 'text', required: false },
{ name: 'pin', type: 'text', required: false },
{ name: 'role', type: 'text', required: false }, { name: 'role', type: 'text', required: false },
{ name: 'curriculum_started_at', type: 'date', required: false }, { name: 'curriculum_started_at', type: 'date', required: false },
{ name: 'enrollment_status', type: 'text', required: false }, { name: 'enrollment_status', type: 'text', required: false },
...AUTODATE_FIELDS,
], ],
}, },
{ {

View File

@@ -1,19 +1,20 @@
import { useState, useEffect } from 'react'; import { useState, useEffect } from 'react';
import { UserPlus, Trash2, Edit2, Shield, User, CheckCircle } from 'lucide-react'; import { Trash2, Shield, User, CheckCircle, Info } from 'lucide-react';
import Card from '../ui/Card'; import Card from '../ui/Card';
import Button from '../ui/Button';
import Input from '../ui/Input';
import Tag from '../ui/Tag'; import Tag from '../ui/Tag';
import * as db from '../../lib/db'; import * as db from '../../lib/db';
import { pb } from '../../lib/pb'; import { pb } from '../../lib/pb';
import { useApp } from '../../store/AppContext'; import { useApp } from '../../store/AppContext';
// Users are provisioned automatically on first Azure (Entra ID) login — admins
// no longer create them by hand. This panel lets an admin review the roster,
// switch a member between user/admin, and remove members. The admin role is
// also re-synced from the ENTRA_ADMIN_EMAILS allow-list on every login (see
// pb_hooks/team_members.pb.js), so a manual change here can be overridden on
// the member's next sign-in if their e-mail is on/off that list.
const TeamManager = () => { const TeamManager = () => {
const { state } = useApp(); const { state } = useApp();
const [users, setUsers] = useState([]); const [users, setUsers] = useState([]);
const [isEditing, setIsEditing] = useState(false);
const [editingId, setEditingId] = useState(null);
const [formData, setFormData] = useState({ name: '', role: 'user', pin: '' });
const [message, setMessage] = useState(''); const [message, setMessage] = useState('');
const loadUsers = async () => { const loadUsers = async () => {
@@ -23,29 +24,16 @@ const TeamManager = () => {
useEffect(() => { loadUsers(); }, []); useEffect(() => { loadUsers(); }, []);
const handleSave = async (e) => { const flash = (msg) => {
e.preventDefault(); setMessage(msg);
if (!formData.name || !formData.pin) return;
if (editingId) {
await db.updateTeamMember(editingId, { name: formData.name, role: formData.role, pin: formData.pin });
setMessage('User updated successfully.');
} else {
await db.addTeamMember({ name: formData.name, role: formData.role, pin: formData.pin });
setMessage('User added successfully.');
}
await loadUsers();
setFormData({ name: '', role: 'user', pin: '' });
setIsEditing(false);
setEditingId(null);
setTimeout(() => setMessage(''), 3000); setTimeout(() => setMessage(''), 3000);
}; };
const handleEdit = (user) => { const handleRoleChange = async (user, role) => {
setFormData({ name: user.name, role: user.role, pin: user.pin }); if (role === user.role) return;
setIsEditing(true); await db.updateTeamMember(user.id, { role });
setEditingId(user.id); await loadUsers();
flash(`${user.name} is now ${role}.`);
}; };
const handleDelete = async (id) => { const handleDelete = async (id) => {
@@ -56,24 +44,17 @@ const TeamManager = () => {
if (confirm("Are you sure you want to delete this user?")) { if (confirm("Are you sure you want to delete this user?")) {
await db.deleteTeamMember(id); await db.deleteTeamMember(id);
// Also remove from leaderboard // Also remove from leaderboard.
try { try {
const entry = await pb.collection('leaderboard').getFirstListItem(`user_id="${id}"`); const entry = await pb.collection('leaderboard').getFirstListItem(`user_id="${id}"`);
await pb.collection('leaderboard').delete(entry.id); await pb.collection('leaderboard').delete(entry.id);
} catch { /* no leaderboard entry, nothing to do */ } } catch { /* no leaderboard entry, nothing to do */ }
await loadUsers(); await loadUsers();
setMessage('User deleted.'); flash('User deleted.');
setTimeout(() => setMessage(''), 3000);
} }
}; };
const cancelEdit = () => {
setIsEditing(false);
setEditingId(null);
setFormData({ name: '', role: 'user', pin: '' });
};
return ( return (
<div className="space-y-8"> <div className="space-y-8">
{message && ( {message && (
@@ -82,58 +63,22 @@ const TeamManager = () => {
</div> </div>
)} )}
<Card className="border border-bg-warm"> <Card className="border border-bg-warm bg-bg-warm/30">
<h2 className="text-xl font-bold flex items-center gap-2 mb-4"> <p className="text-sm text-fg-muted flex items-start gap-2">
{isEditing ? <Edit2 size={20} className="text-teal" /> : <UserPlus size={20} className="text-teal" />} <Info size={16} className="mt-0.5 shrink-0 text-teal" />
{isEditing ? 'Edit Team Member' : 'Add New Team Member'} Team members are created automatically when they first sign in with their
</h2> Microsoft account. Admins are granted via the <code>ENTRA_ADMIN_EMAILS</code>{' '}
allow-list and re-synced on each login.
<form onSubmit={handleSave} className="flex flex-col sm:flex-row gap-4 items-end"> </p>
<div className="flex-1 w-full">
<Input
label="Full Name"
placeholder="e.g. Jane Doe"
value={formData.name}
onChange={e => setFormData({...formData, name: e.target.value})}
required
/>
</div>
<div className="flex-1 w-full">
<label className="block text-sm font-medium mb-1.5 text-fg">Role</label>
<select
value={formData.role}
onChange={e => setFormData({...formData, role: e.target.value})}
className="w-full h-11 px-3 rounded-[var(--r-sm)] border border-bg-warm bg-paper text-sm focus:outline-none focus:ring-2 focus:ring-teal/30 focus:border-teal"
>
<option value="user">User</option>
<option value="admin">Admin</option>
</select>
</div>
<div className="flex-1 w-full">
<Input
label="Login PIN"
type="text"
placeholder="e.g. 1234"
value={formData.pin}
onChange={e => setFormData({...formData, pin: e.target.value})}
required
/>
</div>
<div className="flex gap-2 w-full sm:w-auto">
<Button type="submit" className="w-full sm:w-auto h-11 px-6">
{isEditing ? 'Update' : 'Add'}
</Button>
{isEditing && (
<Button type="button" variant="outline" onClick={cancelEdit} className="h-11 px-4">
Cancel
</Button>
)}
</div>
</form>
</Card> </Card>
<Card className="p-0 border border-bg-warm overflow-hidden"> <Card className="p-0 border border-bg-warm overflow-hidden">
<div className="divide-y divide-bg-warm"> <div className="divide-y divide-bg-warm">
{users.length === 0 && (
<div className="p-6 text-sm text-fg-muted text-center">
No team members yet they appear here after their first sign-in.
</div>
)}
{users.map(user => ( {users.map(user => (
<div key={user.id} className="p-4 flex items-center justify-between hover:bg-bg-warm/30 transition-colors"> <div key={user.id} className="p-4 flex items-center justify-between hover:bg-bg-warm/30 transition-colors">
<div className="flex items-center gap-4"> <div className="flex items-center gap-4">
@@ -145,19 +90,26 @@ const TeamManager = () => {
{user.name} {user.name}
{user.id === state.currentUser?.id && <Tag variant="accent" className="text-[10px] py-0">You</Tag>} {user.id === state.currentUser?.id && <Tag variant="accent" className="text-[10px] py-0">You</Tag>}
</p> </p>
<p className="text-sm text-fg-muted">PIN: {user.pin}</p> <p className="text-sm text-fg-muted">{user.email}</p>
</div> </div>
</div> </div>
<div className="flex items-center gap-3"> <div className="flex items-center gap-3">
<Tag variant={user.role === 'admin' ? 'dark' : 'default'} className="hidden sm:inline-flex">{user.role}</Tag> <select
<button onClick={() => handleEdit(user)} className="p-2 text-fg-muted hover:text-teal transition-colors"> value={user.role || 'user'}
<Edit2 size={16} /> onChange={e => handleRoleChange(user, e.target.value)}
</button> disabled={user.id === state.currentUser?.id}
className="h-9 px-2 rounded-[var(--r-sm)] border border-bg-warm bg-paper text-sm focus:outline-none focus:ring-2 focus:ring-teal/30 focus:border-teal disabled:opacity-40"
aria-label={`Role for ${user.name}`}
>
<option value="user">User</option>
<option value="admin">Admin</option>
</select>
<button <button
onClick={() => handleDelete(user.id)} onClick={() => handleDelete(user.id)}
disabled={user.id === state.currentUser?.id} disabled={user.id === state.currentUser?.id}
className="p-2 text-fg-muted hover:text-red-500 disabled:opacity-30 transition-colors" className="p-2 text-fg-muted hover:text-red-500 disabled:opacity-30 transition-colors"
aria-label={`Delete ${user.name}`}
> >
<Trash2 size={16} /> <Trash2 size={16} />
</button> </button>

View File

@@ -0,0 +1,57 @@
import { describe, expect, it } from 'vitest';
import {
OIDC_PROVIDER,
parseAdminEmails,
resolveRole,
deriveName,
} from '../azureAuth';
describe('azureAuth', () => {
it('exposes the OIDC provider name used by authWithOAuth2', () => {
expect(OIDC_PROVIDER).toBe('oidc');
});
describe('parseAdminEmails', () => {
it('returns [] for empty/undefined input', () => {
expect(parseAdminEmails()).toEqual([]);
expect(parseAdminEmails('')).toEqual([]);
expect(parseAdminEmails(' ')).toEqual([]);
});
it('lower-cases, trims, drops blanks and de-duplicates', () => {
expect(parseAdminEmails(' RVE@respellion.nl , admin@respellion.nl ,, rve@respellion.nl'))
.toEqual(['rve@respellion.nl', 'admin@respellion.nl']);
});
});
describe('resolveRole', () => {
it('returns admin for an allow-listed e-mail (case-insensitive)', () => {
expect(resolveRole('RVE@respellion.nl', 'rve@respellion.nl')).toBe('admin');
});
it('returns user for a non-listed e-mail', () => {
expect(resolveRole('jane@respellion.nl', 'rve@respellion.nl')).toBe('user');
});
it('returns user when the allow-list is empty', () => {
expect(resolveRole('rve@respellion.nl', '')).toBe('user');
expect(resolveRole('rve@respellion.nl')).toBe('user');
});
});
describe('deriveName', () => {
it('prefers the OIDC name claim', () => {
expect(deriveName({ name: 'Raymond Verhoef' }, 'rve@respellion.nl')).toBe('Raymond Verhoef');
});
it('falls back to the e-mail prefix when no name claim', () => {
expect(deriveName({}, 'rve@respellion.nl')).toBe('rve');
expect(deriveName(undefined, 'jane.doe@respellion.nl')).toBe('jane.doe');
});
it('falls back to "Onbekend" with no usable input', () => {
expect(deriveName({}, '')).toBe('Onbekend');
expect(deriveName(null, null)).toBe('Onbekend');
});
});
});

56
src/lib/azureAuth.js Normal file
View File

@@ -0,0 +1,56 @@
/**
* Azure (Entra ID) authentication helpers.
*
* Canonical, unit-tested home for the small pieces of auth logic shared by the
* frontend. The PocketBase hook `pb_hooks/team_members.pb.js` re-implements
* `resolveRole` / `parseAdminEmails` in the JSVM runtime (it cannot import this
* module) — keep the two in sync.
*
* Login itself goes through PocketBase's built-in OAuth2 flow:
* pb.collection('team_members').authWithOAuth2({ provider: OIDC_PROVIDER })
* The OIDC provider ("oidc") is configured against Entra in migration
* 1781000000_team_members_to_auth.js.
*/
/** Provider name registered on the `team_members` auth collection. */
export const OIDC_PROVIDER = 'oidc';
/**
* Parse the ENTRA_ADMIN_EMAILS-style comma-separated allow-list into a
* normalised (lower-cased, trimmed, de-duplicated, empty-free) array.
* @param {string} [csv]
* @returns {string[]}
*/
export function parseAdminEmails(csv) {
if (!csv) return [];
const seen = new Set();
for (const part of String(csv).toLowerCase().split(',')) {
const email = part.trim();
if (email) seen.add(email);
}
return [...seen];
}
/**
* Resolve a user's role from their e-mail and the admin allow-list.
* @param {string} email
* @param {string} [adminEmailsCsv]
* @returns {'admin'|'user'}
*/
export function resolveRole(email, adminEmailsCsv) {
const allow = parseAdminEmails(adminEmailsCsv);
return allow.includes(String(email || '').trim().toLowerCase()) ? 'admin' : 'user';
}
/**
* Derive a display name from OIDC claims, falling back to the e-mail prefix.
* @param {{ name?: string }} [claims]
* @param {string} [email]
* @returns {string}
*/
export function deriveName(claims, email) {
const fromClaim = claims && typeof claims.name === 'string' ? claims.name.trim() : '';
if (fromClaim) return fromClaim;
if (email && email.includes('@')) return email.split('@')[0];
return 'Onbekend';
}

View File

@@ -197,7 +197,7 @@ const Admin = () => {
{activeTab === 'team' && ( {activeTab === 'team' && (
<div className="animate-in fade-in duration-300 max-w-4xl mx-auto"> <div className="animate-in fade-in duration-300 max-w-4xl mx-auto">
<h1 className="text-3xl text-teal mb-2">Team Management</h1> <h1 className="text-3xl text-teal mb-2">Team Management</h1>
<p className="text-fg-muted mb-8">Manage team members, roles, and login PINs.</p> <p className="text-fg-muted mb-8">Review team members and manage their roles. Accounts are created automatically via Microsoft (Azure) sign-in.</p>
<TeamManager /> <TeamManager />
</div> </div>
)} )}

View File

@@ -2,37 +2,25 @@ import { useState } from 'react';
import { useNavigate } from 'react-router-dom'; import { useNavigate } from 'react-router-dom';
import { useApp } from '../store/AppContext'; import { useApp } from '../store/AppContext';
import Card from '../components/ui/Card'; import Card from '../components/ui/Card';
import Input from '../components/ui/Input';
import Select from '../components/ui/Select';
import Button from '../components/ui/Button'; import Button from '../components/ui/Button';
const Login = () => { const Login = () => {
const { state, login } = useApp(); const { loginWithAzure } = useApp();
const navigate = useNavigate(); const navigate = useNavigate();
const [selectedUser, setSelectedUser] = useState('');
const [pin, setPin] = useState('');
const [error, setError] = useState(''); const [error, setError] = useState('');
const [busy, setBusy] = useState(false);
const userOptions = [ const handleAzure = async () => {
{ value: '', label: 'Select a user...' },
...state.users.map(u => ({ value: u.id, label: u.name }))
];
const handleLogin = (e) => {
e.preventDefault();
setError(''); setError('');
setBusy(true);
if (!selectedUser || !pin) { try {
setError('Please fill in all fields.'); await loginWithAzure();
return;
}
const success = login(selectedUser, pin);
if (success) {
navigate('/'); navigate('/');
} else { } catch (e) {
setError('Incorrect PIN.'); // PocketBase throws when the popup is closed or the token exchange fails.
setError(e?.message || 'Signing in with Microsoft failed. Please try again.');
setBusy(false);
} }
}; };
@@ -46,31 +34,17 @@ const Login = () => {
</div> </div>
<Card className="border border-bg-warm"> <Card className="border border-bg-warm">
<form onSubmit={handleLogin} className="flex flex-col gap-5"> <div className="flex flex-col gap-5">
<Select <p className="text-fg-muted text-sm text-center">
label="User" Sign in with your Respellion Microsoft account.
options={userOptions} </p>
value={selectedUser}
onChange={(e) => setSelectedUser(e.target.value)}
/>
<Input {error && <div className="text-red-500 text-sm font-medium text-center">{error}</div>}
label="PIN Code"
type="password"
inputMode="numeric"
pattern="[0-9]*"
maxLength={4}
placeholder="••••"
value={pin}
onChange={(e) => setPin(e.target.value)}
/>
{error && <div className="text-red-500 text-sm font-medium">{error}</div>} <Button onClick={handleAzure} disabled={busy} className="w-full">
{busy ? 'Signing in…' : 'Sign in with Microsoft'}
<Button type="submit" className="mt-2 w-full">
Sign In
</Button> </Button>
</form> </div>
</Card> </Card>
</div> </div>
</div> </div>

View File

@@ -1,6 +1,7 @@
import { createContext, useContext, useReducer, useEffect } from 'react'; import { createContext, useContext, useReducer, useEffect } from 'react';
import * as db from '../lib/db'; import * as db from '../lib/db';
import { pb } from '../lib/pb'; import { pb } from '../lib/pb';
import { OIDC_PROVIDER } from '../lib/azureAuth';
import { getPersonalWeekNumber } from '../lib/curriculumService'; import { getPersonalWeekNumber } from '../lib/curriculumService';
const AppContext = createContext(); const AppContext = createContext();
@@ -50,44 +51,40 @@ export function AppProvider({ children }) {
useEffect(() => { useEffect(() => {
const loadState = async () => { const loadState = async () => {
let members = await db.getTeamMembers(); // Restore the session from PocketBase's persistent auth store. The token
// is kept in localStorage by the SDK; authRefresh verifies it is still
if (!members || members.length === 0) { // valid (and that the Entra account hasn't been revoked) and returns the
// up-to-date record.
if (pb.authStore.isValid && pb.authStore.record?.collectionName === 'team_members') {
try { try {
const created = await db.addTeamMember({ name: 'Admin', role: 'admin', pin: '0000' }); const { record } = await pb.collection('team_members').authRefresh();
members = [created]; dispatch({ type: 'LOGIN', payload: record });
} catch (e) { } catch {
console.warn('[AppContext] Could not auto-create admin user:', e.message, // Token rejected (expired / account revoked) — drop the session.
'— Run scripts/setup-pb-collections.mjs to configure the database.'); pb.authStore.clear();
}
}
const sessionUserId = sessionStorage.getItem('respellion_session');
if (sessionUserId) {
const user = members.find(u => u.id === sessionUserId);
if (user) {
dispatch({ type: 'LOGIN', payload: user });
} }
} }
// The team list (leaderboard, dashboard) requires authentication now, so
// only load it once we have a valid session.
const members = pb.authStore.isValid ? await db.getTeamMembers() : [];
dispatch({ type: 'INIT_APP', payload: { users: members } }); dispatch({ type: 'INIT_APP', payload: { users: members } });
}; };
loadState().catch(console.error); loadState().catch(console.error);
}, []); }, []);
const login = (userId, pin) => { // Start the Entra (OIDC) login flow. PocketBase opens the provider popup,
const user = state.users.find(u => u.id === userId && u.pin === pin); // handles the token exchange server-side, and auto-provisions the record on
if (user) { // first login (see pb_hooks/team_members.pb.js).
sessionStorage.setItem('respellion_session', user.id); const loginWithAzure = async () => {
dispatch({ type: 'LOGIN', payload: user }); const authData = await pb.collection('team_members').authWithOAuth2({ provider: OIDC_PROVIDER });
return true; dispatch({ type: 'LOGIN', payload: authData.record });
} return authData.record;
return false;
}; };
const logout = () => { const logout = () => {
sessionStorage.removeItem('respellion_session'); pb.authStore.clear();
dispatch({ type: 'LOGOUT' }); dispatch({ type: 'LOGOUT' });
}; };
@@ -107,7 +104,7 @@ export function AppProvider({ children }) {
}; };
return ( return (
<AppContext.Provider value={{ state, dispatch, login, logout, enrollCurrentUser }}> <AppContext.Provider value={{ state, dispatch, loginWithAzure, logout, enrollCurrentUser }}>
{children} {children}
</AppContext.Provider> </AppContext.Provider>
); );